I wanted to call a Spring MVC action using HttpURLConnection; I just wanted to run this as a background action.
String logoutUrl = "http://www.mysite.com/logout.sho";
URL url = new URL(logoutUrl);
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
etc etc....
The code runs perfectly fine but the action was not performed. But if I try to perform this action using a browser: http://www.mysite.com/logout.sho, it logs me out. Kindly let me know how to tackle this issue, or any other way to solve this problem.
If you open a URL connection with a Java program, you're not using the same session ID as the one used by your browser, so obviously, logging out from Java doesn't log you out from the browser.
Imagine if that worked: I would just need to write a program which logs out from gmail.com, and every Gmail user would be logged out.
It's because Spring MVC recognizes your HttpURLConnection as a completely separate, independent session (user). Try opening this URL in a different browser or from a different computer - obviously it won't log you out.
The reason you are not recognized is because you do not provide any session-tracking information like JSESSIONID cookie or rewritten URL. You can pass them from Java, but it's a bit of a hack. It works from your browser simply because every request to mysite.com includes JSESSIONID cookie transparently and Spring MVC maps it to an active session.
That being said, what do you want to achieve?
Grails 2.4.4
Guys, I am working on a Grails application and I have a requirement where I have to render pages from the same application under different host URLs.
For example:
Home page url (pre-login) should be www.mydomain.com
Home page url (post-login) should be home.mydomain.com
Login page url should be login.mydomain.com
Register page url should be register.mydomain.com
and Rest pages url should be inner.mydomain.com
All the above URLs are added as aliases in the tomcat -> server.xml file and are pointing to the same application directory.
I have created a static method which, according to controller and action, determines and returns the host URL. I am using this method from a Grails filter.
I then just replace the old host url with the new generated one and then issue a normal redirect url.
The problem I am facing here is: if the app is not logged in, then all works well. But when I try to log in from host URL login.mydomain.com, Spring Security creates a session only for login.mydomain.com. A session is not created for home.mydomain.com, and hence I am not redirected to the post-login home.mydomain.com but instead redirected back to the pre-login www.mydomain.com.
So, can someone tell me what the correct way to achieve this is? Can I change my host URL without affecting my locale, cookies and session? Can Spring Security authenticate multiple hosts at the same time?
Is there any java way to do this?
Any other suggestions?
Please let me know if more inputs are needed
I am designing a third party application that requires a POST request to be sent to a php file on a website and hopefully I should get a response. The site requires me to be logged in in order to make this request normally through the site by pressing a button on it. If I do
URL obj = new URL("http://www.dota2lounge.com/ajax/bumpTrade.php");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestProperty("User-Agent", "Chrome/36.0.1916.144");
And then continue to carry out the POST request, will the site recognize that I am sending this from my Chrome browser in which I am already logged in? Thanks
will the site recognize that I am sending this from my Chrome browser in which I am already logged in?
No, it will not. Imagine how easy it would be to spoof the authentication system of a web application if it worked that way.
Logins typically work by sending Cookies or other headers. You need to send those to authenticate your request. For this to work as if you were logged in with your Chrome application, you'll need to find the corresponding cookies that Chrome stored and send those.
You can find out from the link I shared how you can do the authentication.
https://stackoverflow.com/a/3283496/1257445
After you have authenticated, you can make a POST request using the session.
I developed the web application with Struts2. After logging in to my application, if I copy the URL and paste it into a different tab of the same browser, it goes there directly without restriction. In that situation I want to restrict it.
But if the same URL is copied and pasted into another browser, it works fine. The problem occurs only with the same browser and a different tab.
This is because your browser has stored your login authentication in the session. It will remember this until you either
Close all windows of the browser or
Choose New Session from the menu
If your question is about your development cycle, take a look at the answer of @Keppil.
If, however, you are asking about real user experience, this is more complicated. The browser indeed remembers your session ID in a cookie and sends it on each request. To override this mechanism you can create your own tokens that will always be appended to the URL.
When the token is supplied, it should send a redirect response to the URL without the token.
The server side should throw the user to the login screen every time the token is not supplied and the request is not from a redirect.
I have never tried to do this and I am not sure you really want to implement this. The ability of browser to connect to same session even if user opens another tab or browser window is very convenient and widely applicable.
I want to log in to a web application and perform some search operation after login. I am using HttpClient for this, and I am able to log in and fetch the data of that page, but I didn't find any way to perform a POST operation, say searching for a user account, after login, as it is asking for login again. Please provide any way or idea to do this.
When you log in to a site, the server usually sends you back a cookie containing your session id, or the jsessionid header. Try sending this jsessionid and its value back to the server in the post-login operation.
This may not work, because the server can force you to use cookies. This is just an idea of the scenario often found around there.
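Added example (not part of the original answers, and not code from any site named on this page): a self-contained Java program showing what the answers above describe for the logout question, the User-Agent question and this one, namely that the server recognises a client only by the session cookie it sends back. The local test server, its /login, /search and /logout paths and the class name are assumptions made for the demo; it uses only the JDK's built-in com.sun.net.httpserver.

```java
import com.sun.net.httpserver.*;
import java.io.IOException;
import java.net.*;
import java.util.*;

public class SessionCookieDemo {
    // Constructed server-side session table: the only record of who is logged in.
    static final Set<String> SESSIONS = Collections.synchronizedSet(new HashSet<>());

    // Return the JSESSIONID value from the Cookie header, or null if none was sent.
    static String sessionId(HttpExchange ex) {
        String header = ex.getRequestHeaders().getFirst("Cookie");
        if (header == null) return null;
        for (String part : header.split(";\\s*"))
            if (part.startsWith("JSESSIONID=")) return part.substring("JSESSIONID=".length());
        return null;
    }
    static void reply(HttpExchange ex, int status) throws IOException {
        ex.sendResponseHeaders(status, -1); // status line and headers only, no body
        ex.close();
    }
    static int get(String url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestProperty("User-Agent", "Chrome/36.0.1916.144"); // a label, not a credential
        return c.getResponseCode();
    }

    public static void main(String[] args) throws IOException {
        HttpServer srv = HttpServer.create(new InetSocketAddress(InetAddress.getByName("localhost"), 0), 0);
        srv.createContext("/login", ex -> { // credential check omitted in this demo
            String id = UUID.randomUUID().toString();
            SESSIONS.add(id);
            ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=" + id + "; Path=/; HttpOnly");
            reply(ex, 200);
        });
        srv.createContext("/search", ex -> reply(ex, SESSIONS.contains(sessionId(ex)) ? 200 : 403));
        srv.createContext("/logout", ex -> { SESSIONS.remove(sessionId(ex)); reply(ex, 200); });
        srv.start();
        String base = "http://localhost:" + srv.getAddress().getPort();

        CookieManager jar = new CookieManager();
        CookieHandler.setDefault(jar);  // client A stores Set-Cookie values and resends them
        get(base + "/login");
        System.out.println("A /search: " + get(base + "/search"));
        CookieHandler.setDefault(null); // client B: same User-Agent string, no cookie jar
        System.out.println("B /search: " + get(base + "/search"));
        System.out.println("B /logout: " + get(base + "/logout") + ", sessions left: " + SESSIONS.size());
        CookieHandler.setDefault(jar);  // client A again, cookie attached
        System.out.println("A /logout: " + get(base + "/logout") + ", sessions left: " + SESSIONS.size());
        srv.stop(0);
    }
}
```

Client B's /logout request completes without error but removes nothing, which is the "runs perfectly fine but the action was not performed" behaviour from the first question; only the request carrying A's cookie ends A's session.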
It's not HttpClient, but there is a browser automation framework called Selenium.
Look here for an explanation of how to use cookies in Java, using the java.net APIs: http://www.hccp.org/java-net-cookie-how-to.html
I have had a scoping issue with a session cookie not being visible in the past. You "may" have the same issue. If you know the session cookie is being created after you have logged in successfully, try adding a call to setDomainMatchingStrict(false)
import com.meterware.httpunit.WebConversation;
import com.meterware.httpunit.cookies.CookieProperties;
WebConversation wc = new WebConversation();
CookieProperties.setDomainMatchingStrict(false); // <- the important bit
So I went through the steps to build a basic roo application here: http://static.springsource.org/spring-roo/reference/html/beginning.html
I started up my server and started playing with the app, couldn't help but notice that there's a 'jsessionid' in my url:
http://localhost:8080/pizzashop/pizzas;jsessionid=0A8EA5D9E8665C8AC80F141C3818F6BA?form
I don't care for this at all! Why does it need a session id in the URL? Can I get rid of this? It does not seem RESTful to have this there.
This is standard JavaEE behavior, and is dictated and controlled by the servlet container. It has nothing to do with Spring.
See this previous question to find out why and when it gets created, and how to avoid it.
I didn't see this answer in the other question so I wanted to explain it. The way sessions work in Java, and I think PHP, is that when the client first comes in, it creates a cookie and appends JSESSIONID to all the URLs that used the <c:url/> tag. The reason it does this is because the first time the client visits the page, the server has no idea if the client supports cookies. So it does both. Next time, since it sees the cookie, it will actually not use URLs anymore because it knows cookies worked.
There are a lot of ways to disable this. If you are not using sessions at all then you can disable cookies by putting cookies=false in context.xml. This only disables cookies for the session and not regular cookies. You can then use urlrewrite to strip the sessionid.
Hope that helps.
What app server are you using? I know that WebLogic at least will always do a URL-encoded session, as well as a cookie-based session, on the first call at least, to see if cookies are enabled on the client. If it can't find the cookie that matches the URL session id on the next call, it will continue using the session token from the URL. I know when they switched our company over to using SharePoint for web crawling and search, the Windows web guys whined for a LONG time about the issue, until they finally understood that all they had to do was turn on cookie session support.
In my case this was happening when the application was deployed on my desktop and not using HTTPS. In that case, cookie-secure should be set to false in weblogic.xml. Otherwise the cookie-managed session ID will only work over HTTPS.
<wls:cookie-secure>false</wls:cookie-secure>